Ice’ 
Frequently Asked Questions: GDPR 


ICE is committed to protecting and safeguarding the Personal Data of our members, customers and users 
(“Customers”). The following FAQs provide an explanation of the General Data Protection Regulation 
(“GDPR”) and how ICE is working to protect Personal Data. 


What is GDPR? 


GDPR is the new European data protection law that comes into effect on May 25, 2018. GDPR replaces 
the current EU Data Protection Directive (95/46/EC) and sets out a single set of rules across Europe on 
data privacy and protection. GDPR places new requirements on companies and organizations about how 
they process and safeguard the Personal Data of individuals residing in the EU. 


For more information on GDPR please visit: 
httos://gdpr-info.eu/ 
http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=614208 


What is Personal Data? 


For GDPR purposes, Personal Data is any information relating to a natural person that can be used, either 
directly or indirectly, to identify that person. Personal Data can be anything from a name, a photo, an email 
address, bank details, posts on social networking websites and medical information to online identifiers 
such as location data or a computer IP address. 


What does it mean to ‘process’ Personal Data? 


GDPR defines processing very broadly to include obtaining, recording, storing or holding data or carrying 
out an operation or a set of operations on that data. These operations can include a) organization, 
adaptation or alteration of the data, (b) retrieval, consultation or use of the data, (c) disclosure of the data 
by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, 
erasure or destruction of the data. 


My company is not in the EU. Does GDPR apply? 


GDPR can still apply to your company or organization even though it is not established in the EU. GDPR 
applies to all companies and organizations which process and hold the Personal Data of EU individuals, 
regardless of where the company or organization is located. GDPR will apply to any company or 
organization that has EU users or affiliates, and/or offers goods and services to, or monitors the behavior 
of, EU individuals. When determining whether GDPR applies to you, you should consider the very broad 
definition of Personal Data under GDPR and its application to non-EU based companies and organizations. 


How does ICE protect Personal Data? 
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ICE has implemented vigorous technical and organizational measures to protect the Personal Data of our 
Customers against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access 
to, Personal Data. For more information on ICE security please visit: https://www.theice.com/security. 


How is ICE complying with GDPR? 


GDPR imposes new and stricter requirements on companies and organizations, including in relation to the 
safe handling of data transfers outside of the EU and obtaining the consent of EU individuals to data 
processing. In order to comply with new GDPR obligations, ICE has developed additional terms for data 
processing which are to be signed and added to relevant customer and vendor agreements under which 
the Personal Data of EU individuals is processed. The additional terms provided by ICE contain all of the 
necessary terms to make our agreements fully compliant with GDPR and include the Standard Contractual 
Clauses set by the European Commission. 


How does ICE ensure that any cross-border data 
transfers comply with GDPR? 


GDPR provides strict regulations on the transfer of Personal Data of EU individuals outside of the EU. 
GDPR only permits Personal Data to be transferred outside of the EU if the country where it is being 
transferred has received an adequacy determination from the European Commission or if a valid data 
transfer mechanism is used. For this reason, ICE has incorporated the Standard Contractual Clauses set 
by the European Commission into our additional terms, which is a valid transfer mechanism under GDPR. 


Is ICE a processor or a controller of Personal Data? 


Whether ICE is considered a controller (the party that determines the purpose and means of processing) 
or a processor (the party that processes Personal Data on behalf of the controller) for GDPR purposes will 
depend on the type of agreement and the data processing activities being undertaken. In the additional 
terms, ICE has included the necessary terms to cover instances where we operate as both a processor and 
a controller and have included the Standard Contractual Clauses for both processors and controllers in the 
additional terms for this reason. 


Does ICE use sub-processors? 


Yes, a list of sub-processors is available on the Data Protection webpage at https://www.theice.com/data- 
protection. 


Who Can I Contact with Questions? 


ICE has appointed a Data Protection Officer (DPO) who is responsible for coordinating and monitoring 
GDPR compliance. All questions and inquiries regarding GDPR and data protection should be sent to 
Regulatory-DataProtection@Thelce.com. 
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